Google challenges findings in IBM's security report


When IBM released its Mid-Year Trend and Risk Report showing Google ranked with the highest number of critical and unpatched high-risk vulnerability disclosures, Google naturally challenged the findings. That comes as hardly a surprise; what was surprising was IBM's hasty backpedaling and "reassessing" of its scoring criteria, after which the list now puts IBM itself in first position, in a distinct twist of irony.

Tom Cross, manager of X-Force Research--which compiled the report--wrote: "As a consequence of this feedback, we have manually reassessed the CVSS scoring, remedy information, and vendor information for every vulnerability that impacted the percentages that appear in this chart."

According to Google, its dismal showing of "33 percent of critical and high-risk bugs" unpatched in its own software came from a grand total of three vulnerabilities, and the one counted as unpatched was actually an incorrect classification. Once corrected, Google scored zero unpatched vulnerabilities out of two high-risk bugs, which effectively took it out of the ranking.

What this incident brought to light is the inconsistent manner in which security vulnerabilities are classified, and the sheer difficulty of doing so, which I dwell on further in today's editorial.

For more on this story:
- check out this article at Dark Reading
- check out this article at Information Week
